Fix import JWT payload
Background
We are preparing for Phase 2 of the Container Registry migration which involves importing all existing container repositories to the new platform (Phase 1 involved routing all new container repositories to the new platform). See &7316 (closed) for full details of how the import will work.
The registry will make requests to import container repositories so in !78489 (merged) we added a new token scope for import
access. Unfortunately, the payload of that token was implemented incorrectly.
What does this MR do and why?
This MR updates the payload of the JWT for import access to use a registry
type and grant *
actions.
It is safe to update the method signature because this method is not yet used anywhere.
I am considering this typemaintenance rather than bug since the method was introduced in the same milestone as this MR (%14.8).
Screenshots or screen recordings
Before: Token was granted on a per-repository basis:
[1] pry(main)> token = Auth::ContainerRegistryAuthenticationService.import_access_token('gitlab-org/gitlab-test')
[2] pry(main)> JWT.decode(token, nil, false)
=> [{"access"=>[{"type"=>"repository", "name"=>"gitlab-org/gitlab-test", "actions"=>["import"]}], ....]
After: Token is granted for the registry:
[5] pry(main)> token = Auth::ContainerRegistryAuthenticationService.import_access_token
[6] pry(main)> JWT.decode(token, nil, false)
=> [{"access"=>[{"type"=>"registry", "name"=>"import", "actions"=>["*"]}], ...]
How to set up and validate locally
In the rails console:
token = Auth::ContainerRegistryAuthenticationService.import_access_token
JWT.decode(token, nil, false)
You should see:
- type:
"registry"
- name:
"import"
- actions:
["*"]
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #349743 (closed), #351587 (closed)